
How to - Syslog messages from firepower to cssp appliance and finally to Cisco threat response


1. You want syslog event 430001 (Snort IPS alerts) sent to CSSP? My scenario was Firepower Services for ASA, not FTD.

Answer: Add logging host to your intrusion policy pointing to your CSSP appliance.

 

2. You want syslog events sent for file and malware?

Answer: Add another line to the rsyslog.d/1-ips file on your CSSP appliance specifying 430005. You can copy the line containing 430001 and change the number in the copy from 430001 to 430005. Then adjust your FMC access control policy: on the Logging tab, tick the checkbox for file and malware events and add your CSSP server as the syslog receiver.

:rawmsg,contains,"430001", -/opt/cssp/logs/events/events.log
:rawmsg,contains,"430005", -/opt/cssp/logs/events/events.log
&~

 

3. You want Security Intelligence events sent to CSSP?

Answer: Change the current syslog entry in the DNS, URL, and IP Security Intelligence sections of your access control policy so that logging points to your CSSP server. You will also need another entry in the rsyslog.d/1-ips file on your CSSP server so these messages are picked up: copy the line containing 430001 and change the number in the copy to 430002.

:rawmsg,contains,"430001", -/opt/cssp/logs/events/events.log
:rawmsg,contains,"430002", -/opt/cssp/logs/events/events.log
&~
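To check what the 1-ips rules from steps 2 and 3 will actually do before restarting rsyslog, the following added Python script (not part of this post and not Cisco code) generates the selector lines for a list of Firepower message IDs and replays a few constructed syslog lines through them, using rsyslog's legacy-syntax semantics: `:rawmsg,contains,"X", target` writes any message whose raw text contains X, and a following `&~` applies the discard action to messages that matched the immediately preceding selector only. The sample messages, the `%FTD-1-4300xx:` tag format and the `discard_each` option are assumptions for illustration; the events.log path is the one from this post.

```python
"""Simulate rsyslog legacy selector lines for Firepower event forwarding to CSSP."""
import re

EVENTS_LOG = "/opt/cssp/logs/events/events.log"  # path used in the post

# Constructed sample syslog lines (not real captures); only the message ID matters here.
SAMPLE_MESSAGES = [
    "<130>Jan 10 10:00:01 ngfw-1 %FTD-1-430001: IntrusionEvent: constructed Snort alert",
    "<130>Jan 10 10:00:02 ngfw-1 %FTD-1-430002: SecurityIntelligence: constructed SI event",
    "<130>Jan 10 10:00:03 ngfw-1 %FTD-1-430005: FileEvent: constructed malware event",
    "<134>Jan 10 10:00:04 ngfw-1 %FTD-6-430003: ConnectionEvent: constructed, not forwarded",
]


def build_ips_rules(message_ids, target=EVENTS_LOG, discard_each=False):
    """Return rsyslog legacy-syntax rules like the rsyslog.d/1-ips file in the post.

    discard_each=False reproduces the post's layout (one trailing "&~");
    discard_each=True (assumed variant) puts "&~" after every selector line.
    """
    lines = []
    for mid in message_ids:
        lines.append(f':rawmsg,contains,"{mid}", -{target}')
        if discard_each:
            lines.append("&~")
    if not discard_each:
        lines.append("&~")
    return "\n".join(lines) + "\n"


# ":rawmsg,contains,"<needle>", -<target>"  (the leading "-" means no fsync after write)
SELECTOR_RE = re.compile(r'^:rawmsg,\s*contains,\s*"([^"]*)",\s*-?(\S+)$')


def parse_rules(text):
    """Parse selector lines into (needle, action) pairs; "&" reuses the previous filter."""
    rules = []
    current_filter = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SELECTOR_RE.match(line)
        if m:
            current_filter = m.group(1)
            rules.append((current_filter, m.group(2)))
        elif line.startswith("&"):
            if current_filter is None:
                raise ValueError(f"'&' with no preceding selector: {line}")
            action = line[1:].strip()
            rules.append((current_filter, "~" if action in ("~", "stop") else action.lstrip("-")))
        else:
            raise ValueError(f"unsupported line: {line}")
    return rules


def route(messages, rules):
    """Apply rules in order; return ({target: [messages written]}, [messages not discarded])."""
    written = {}
    passed_through = []
    for msg in messages:
        discarded = False
        for needle, action in rules:
            if needle not in msg:
                continue
            if action == "~":
                discarded = True  # "&~" stops processing for messages matching this filter
                break
            written.setdefault(action, []).append(msg)
        if not discarded:
            passed_through.append(msg)  # would continue to later rules / default log files
    return written, passed_through


def forwarded_ids(messages, rules, target=EVENTS_LOG):
    """Message IDs that end up in the CSSP events.log, in arrival order."""
    written, _ = route(messages, rules)
    return [re.search(r"\b(4300\d\d)\b", m).group(1) for m in written.get(target, [])]


if __name__ == "__main__":
    rules = parse_rules(build_ips_rules(["430001", "430005", "430002"]))
    written, rest = route(SAMPLE_MESSAGES, rules)
    print("forwarded:", forwarded_ids(SAMPLE_MESSAGES, rules))
    print("still processed by later rules:", len(rest))
```

Running it shows that 430001, 430002 and 430005 all land in events.log while the 430003 connection event does not, and that with the post's single trailing `&~` only the last selector's matches (430002) are discarded; the 430001 and 430005 messages are written and then continue to any later rsyslog rules, which is why they may also appear in the appliance's default log files.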

 
